For hackers, Big Brands are... 

TFS’ Global VM Strategy & Approach

- Incorporate the global VM program on the global security roadmap
- Implement an operational and managerial VM program in all offices worldwide
- Adapt Toyota’s Kaizen Principles
  - Plan-Do-Check-Act
  - Continuous improvement
  - Respect for people

“PLAN” The Global VM Program Initiative

- Set the global program objectives
- Scope the global program
- Identify key sponsors and stakeholders
- Prepare the business plan
- Obtain corporate leadership approval

- Improve the security posture of local offices and company-wide
- Provide local offices a prescriptive approach to VM
- Establish global VM framework

[Diagram labels: Assess, Analyze, Remediate, Validate]

“PLAN” The Global VM Program Project

- Establish the T-E-A-M
- Prepare the plan
- Clarify the problem
- Define the requirements
- Solicit & evaluate alternative solutions
- Select solution & consummate the contract

We Need:
- [illegible] at 34 offices
- [illegible] & regional [illegible]
- Easy deployment & administration

[Vendor logos: Qualys, Rapid7, Symantec, McAfee, nCircle]

“DO” The Global VM Program Deployment

- Engage the Qualys TAM
- Execute a pilot deployment
- Develop the global deployment plan
- Set up the global subscription in QualysGuard

[Slide graphics: Feb. 2014; checklist; Installation & Configuration; On-going Support; QualysGuard Secure Operations Centers (SOCs); Web User Interface]

- Conduct site analysis
- Develop standards & procedures

[Diagram labels: Validate, Remediate]

“DO” The Global VM Program Deployment

- Set up training
- Roll out in regions: Americas, Europe/Africa, Asia Pacific
- Ship appliances
- Install the appliance
- Test & validate scanning

[Screenshot: QualysGuard Vulnerability Management Video Series]
[Diagram labels: Corporate Intranet, Intranet Scanner]

“DO” The Global VM Program Deployment

- Implement operational VM scanning
- Generate operational reports
- Implement or improve the patching process
- Implement a remediation framework

[Slide graphics: Scan Reports, Scorecards, Asset Tags, Asset Groups]

“CHECK” The Global VM Program Implementation

- Set up global administrative & operational support
- Weekly regional collaboration
- Get feedback from local offices
- Set up compliance & audit reporting
- Monitor & track activity

“ACT” The Global VM Program Implementation

- Communicate progress to stakeholders & partners
- Refine standards & processes
- Initiate Web Application Scanning & Policy Compliance
- Initiate Global VM program improvements

Web Application Scanning: identify and manage web application security
Policy Compliance: define and monitor IT security standards

TFS’ Global VM Program

Our Objective: Protect our Brand

Our Action: Establish the Global VM Program
- Monthly scheduled scanning
- Monthly patch update cycles
- Monthly metrics & KRIs
- Web Application Scanning
- Policy Compliance

Our Direction: Follow the Toyota Way
Continuous improvement

[Diagram labels: Global Management & Administration; Regional Management & Administration; Local administration & operations; Asia, Americas, Europe]

Keys to Success

- Global leadership sponsorship
  - Global Security, Risk, & IT
- Communicate, communicate, communicate
  - Corporate, regional, & individual countries
- QualysGuard Solution
  - Fully functional, rapid deployment, scalable, reliable, low maintenance
- T-E-A-M-W-O-R-K
  - Horizontally & vertically
- Plan-Do-Check-Act
  - Continuous improvement & respect for people

[Logo: Toyota Global Vulnerability Management Program]

THANK YOU!
QUESTIONS?

protect the Brand?

Target, Nordstrom's, TJ Maxx, Citibank, Google, Yahoo

What do these companies have in common?
Toyota
Quality, customer loyalty,
What keeps up our CEO, CIO, & CISO?
Incident response
It's not a matter of if but when


Road map to global deployment
3/14/14

Key points
- RFP
- Evaluation, proof of concept
- Selection and contract negotiations
- Global drivers
  - Cultural change
- Scoping & Planning
  - 34 SFCs not connected or integrated
  - Vulnerabilities, websites, compliance
  - Deployment plan
- Global Team: Qualys Technical Account Manager (TAM); regional teams
- Global policies, standards & baselines
- Communications with each SFC (country)
  - Small deployments, no dedicated security
- Average of three months for testing
- Deployment plan: Map, vuln scan, authentication, WAS, PC
- Qualys business unit/asset group/asset tag structure
- Physical versus virtual scanners
- Pros/Cons
- Resistance from IT, developers
- Global administration: collaboration; leveraging tools for security
- SDLC (WAS & VM scanning), operational scans, patch management, baseline configurations
- SIEM integration, CMDB
- Prioritize patching
- Authentication, firewalls
- Overlapping IPs
- KRI: Define risk; risk management
- International vulnerabilities
- Analysis of vulnerabilities, discovery of assets; printers, VOIP, cameras, etc.